The next level of the OverTheWire Natas wargame is Level 14, which introduces SQL Injection, a very popular subject as of late.

The level starts out with a login dialog.

The source code is fairly straight forward. It’s doing a basic authentication query. It however, does have a handy “debug” flag, that if set, will print the query used to the screen.

<head><link rel="stylesheet" type="text/css" href=""></head> 
<div id="content"> 
if(array_key_exists("username", $_REQUEST)) { 
    $link = mysql_connect('localhost', 'natas14', '<censored>'); 
    mysql_select_db('natas14', $link); 
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) { 
        echo "Executing query: $query<br>"; 

    if(mysql_num_rows(mysql_query($query, $link)) > 0) { 
            echo "Successful login! The password for natas15 is <censored><br>"; 
    } else { 
            echo "Access denied!<br>"; 
} else { 

<form action="index.php" method="POST"> 
Username: <input name="username"><br> 
Password: <input name="password"><br> 
<input type="submit" value="Login" /> 
<? } ?> 
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div> 

I simply appended the URL with the parameters I wanted. I set the “debug” flag to a true value, and put in a junk username and password.

Since that showed me what query was being ran, I modified it to inject some code (” or 1=1 – ) to return all rows in the table, guaranteeing that at least one entry would show up. This ends up changing the SQL query to do a comparison based on username, OR where 1=1, which is always true. After that, the “– ” simply comments out the rest of the query, so that no issues arise from stuff later on. Make sure to have a space after the dashes, else it may not work. Once everything was completed, it showed me the password to the next level.